Getting In Bed With Robin Sage presented at Blackhat USA 2010

by Thomas Ryan,

Tags: Security Exploitation

Summary : Given the vast number of security breaches via the internet, the experiment seeks to exploit the fundamental levels of information leakage—the outflow of information as a result of people’s hap-hazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people’s decisions to trust and share information with the false identity. The main factors observed were: the exploitation of trust based on gender, occupation, education/credentials, and friends (connections).
By the end of this Experiment, Robin finished the month having accumulated 100’s connections through various social networking sites. Contacts included executives at government entities such as the NSA, DOD and Military Intelligence groups. Other friends came from Global 500 corporations. Throughout the experiment Robin was offered gifts, government and corporate jobs, and options to speak at a variety of security conferences.
Through this 28 day experiment, it became evident that the propagation of a false identity via social networking websites is rampant and viral. Much of the information revealed to Robin Sage violated OPSEC procedures. The deliberate choice of an attractive young female exposed the role that sex and appearance plays in trust and people’s eagerness to connect with someone. In conjunction with her look, Robin Sage’s credentials listed on her profile resulted in selection perception; people’s tendency to draw unwarranted conclusions in their attempt to make a quick decision. By acquiring a large number of connections, Robin had the ability to identify the individual who was positioned to provide the most intelligence based on their involvement in multiple government agencies. The false identity combined with carefully chosen false credentials led to a false trust that could have resulted in the breach of multiple security protocols.